
To Survive a Data Breach, Create a Response Playbook

Experts Detail Essential Systems and Procedures Every Organization Needs Now
Ensure early warning systems are in place to detect breaches and other security incidents. (Photo: Tomasz Pro, via Flickr/CC)

To best survive a data breach, have a response plan. Also ensure early warning systems are in place to detect hack attacks. Identify everyone inside and outside an organization who must be involved in responding to a suspected breach - and how and when. And regularly practice and refine that plan so everyone knows what to do - and when - to help the organization rapidly shut down an intrusion and get back up and running.


Those are just some of the essential steps that information security experts identify for helping organizations to better defend against attacks, as well as detect and mitigate data breaches (see: Why a Data Breach Response Plan Is Essential).

Here are seven essential components of a data breach preparedness plan.

1. Invest in Monitoring and Detection Capabilities

Many organizations hedge their data breach notifications by saying something akin to: "We have received no reports that potentially stolen data may have been fraudulently used." Such a lack of specificity, experts say, often traces to a breached business having failed to gather sufficient log data or retain it for a sufficient period of time.


"Organizations need better monitoring - so we see what's going on; better detection and prevention, so if somebody is trying to access our network or crown jewels, we detect and prevent it sooner rather than later, and that kicks in our response plan, so our damages are limited," says Rocco Grillo, managing director of global cyber risk services at consultancy Alvarez & Marsal in New York (see: Advanced Threat Detection: Deception Tech's Role).

"We've seen so many attacks where the damage doesn't happen at the point of attack, it happens in the response" - or lack thereof - Grillo says. "We see companies that have been compromised and they didn't know about it for weeks or even for months. We need to reduce that proverbial dwell time," he says (see: Hackers Love to Strike on Saturday).

So businesses should not just be capturing log data, but monitoring it to immediately detect unusual or suspicious happenings. "The sooner we see something, the better our response," he says. "We want to limit the damage to our business, restore normal operations and get things back to normal."

Such monitoring and detection, from a technology standpoint, often takes many different forms, including intrusion detection systems as well as intrusion prevention systems. "Ensuring that you have firewall logs, IDS, IPS, and EDR - endpoint detection & response - running is critical," says Chris Pierson, CEO of cybersecurity firm Blackcloak, and a member of the U.S. Department of Homeland Security's Data Privacy and Integrity Advisory Committee, as well as its cybersecurity subcommittee. "This allows for logs, URLs, and all other system responses to be reviewed, forensically analyzed - even analyzed remotely - and for machines to be taken off the network while doing a live response."
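As an added illustration of the point Grillo and Pierson make above (this is not code from the article or from their firms), the following Python runs two simple detection rules over constructed auth-log lines and then shows how the log retention window caps the dwell time an organization can ever report. The crown-jewel host name, the 10.0.0.0/8 corporate range, the failure threshold, the review date and the log format are all assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumptions for this illustration (not from the article):
# - the "crown jewel" hosts and the corporate source range are known up front;
# - logs are simple key=value auth lines in the shape shown in SAMPLE_LOGS.
CROWN_JEWELS = {"db-crown-01"}
CORP_NETS = [ipaddress.ip_network("10.0.0.0/8")]
FAIL_THRESHOLD = 5                    # failures before a success is suspicious
FAIL_WINDOW = timedelta(minutes=10)
NOW = datetime(2024, 3, 6, tzinfo=timezone.utc)   # assumed date of the review

# Constructed sample log lines; not from any real system.
SAMPLE_LOGS = """\
2024-01-10T09:12:01Z auth host=web-01 user=alice src=10.20.3.4 result=OK
2024-01-15T02:14:03Z auth host=db-crown-01 user=svc_backup src=203.0.113.45 result=FAIL
2024-01-15T02:14:09Z auth host=db-crown-01 user=svc_backup src=203.0.113.45 result=FAIL
2024-01-15T02:14:15Z auth host=db-crown-01 user=svc_backup src=203.0.113.45 result=FAIL
2024-01-15T02:14:21Z auth host=db-crown-01 user=svc_backup src=203.0.113.45 result=FAIL
2024-01-15T02:14:27Z auth host=db-crown-01 user=svc_backup src=203.0.113.45 result=FAIL
2024-01-15T02:14:33Z auth host=db-crown-01 user=svc_backup src=203.0.113.45 result=OK
2024-02-20T11:05:00Z auth host=web-01 user=bob src=10.20.3.9 result=OK
2024-03-01T03:40:12Z auth host=db-crown-01 user=svc_backup src=203.0.113.45 result=OK
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass
class Alert:
    ts: datetime
    rule: str
    src: str
    host: str


def parse_logs(text):
    """Parse log lines into dicts sorted by timestamp; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def is_corporate(src):
    return any(ipaddress.ip_address(src) in net for net in CORP_NETS)


def detect(events):
    """Two rules: a burst of failures followed by a success, and any successful
    login to a crown-jewel host from outside the corporate range."""
    alerts = []
    recent_fails = defaultdict(deque)   # (src, host) -> timestamps of recent failures
    for ev in events:
        q = recent_fails[(ev["src"], ev["host"])]
        while q and ev["ts"] - q[0] > FAIL_WINDOW:   # forget failures outside the window
            q.popleft()
        if ev["result"] == "FAIL":
            q.append(ev["ts"])
            continue
        if len(q) >= FAIL_THRESHOLD:
            alerts.append(Alert(ev["ts"], "brute_force_then_success", ev["src"], ev["host"]))
        q.clear()
        if ev["host"] in CROWN_JEWELS and not is_corporate(ev["src"]):
            alerts.append(Alert(ev["ts"], "external_crown_jewel_login", ev["src"], ev["host"]))
    return alerts


def dwell_estimate(events, now, retention):
    """Run detection over only the logs still retained and estimate dwell time.
    Anything older than the retention window is invisible, so the dwell time
    reported here is a floor, never the true figure."""
    cutoff = now - retention
    retained = [e for e in events if e["ts"] >= cutoff]
    alerts = detect(retained)
    if not alerts:
        return {"alerts": 0, "first_seen": None, "dwell": None, "visible_from": cutoff}
    attacker = alerts[0].src
    first_seen = min(e["ts"] for e in retained if e["src"] == attacker)
    return {"alerts": len(alerts), "first_seen": first_seen,
            "dwell": now - first_seen, "visible_from": cutoff}


def run_example(retention_days=(30, 90), now=NOW):
    """Compare what the same intrusion looks like under different retention periods."""
    events = parse_logs(SAMPLE_LOGS)
    return {d: dwell_estimate(events, now, timedelta(days=d)) for d in retention_days}


if __name__ == "__main__":
    for days, r in run_example().items():
        print(f"retention={days}d alerts={r['alerts']} first_seen={r['first_seen']} "
              f"dwell>={r['dwell']} visible_from={r['visible_from']:%Y-%m-%d}")
```

With 90 days of logs retained, the brute-force burst on 15 January is still there, three alerts fire and the attacker's first contact is visible some 50 days before the review. With 30 days retained, only the 1 March login survives: one alert fires, the earliest evidence is four days old, and the organization is left saying it "has no reports" of earlier access because the logs that would show it no longer exist.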

2. Build a Response Plan

What's your plan? Fictional professors of archaeology might get to say, "I don't know, I'm making this up as I go." Good luck trying that line on customers and regulators.


There's no excuse for failing to plan ahead. "Organizations need to realize they will no longer be judged for having a security breach, but they will be judged on how well they respond to it," says Brian Honan, head of cybersecurity consultancy BH Consulting in Dublin. "So preparation is key to surviving a breach and in protecting your brand."

Having a good plan means organizations spend less time working out how to fight the proverbial fire and can move straight to fighting it.

"Companies need to make sure they have a plan, and not only a plan, but to ensure it's continually updated," Grillo says. "You can be the best firefighter in the world, or have them [contractually] engaged, but at the same time, getting caught flat-footed, or getting caught unprepared, leads to people running around with their hair on fire, for lack of a better term."

3. Regularly Review and Update Plans


Gaining corporate agreement and buy-in to have a data breach response plan is just the start. Organizations also need to ensure that it's a good plan, of course, and that they regularly practice and refine it.

"The single most important factor here is to set up all of this now, ahead of time, get buy-in from all levels of the company, including the board and to practice based on at least six scenarios over the course of 12 months," Pierson says.

Pierson says that at a minimum, the six scenarios he would practice include:

  • External hack and data theft;
  • Malicious insider;
  • Loss of employees' personally identifiable information;
  • Some type of physical loss of data;
  • Ransomware event or distributed denial-of-service disruption, including third-party service provider disruption;
  • Attack against the organization's intellectual property or C-suite executives.

Security incident response should not stand alone from other types of disaster recovery planning, says BH Consulting's Honan, who's also a cybersecurity adviser to the EU's law enforcement intelligence agency, Europol. "Integrating your incident response plan with your business continuity plan is crucial to ensuring your operations continue in the event of a breach," he says. "Make sure your business continuity testing scenarios include cyberattacks and not just the traditional business continuity issues of fire, flood, and so on."

4. Practice Paying Ransomware Attackers

Responding to such scenarios may involve wildly different components. But practicing is also an excellent way to not only test how to respond, but which internal and external services might need to be readied.

For example, Grillo says he's worked with organizations to run exercises on how they would respond if their most critical assets - such as patient data for hospitals or flight systems for airlines - got hit by ransomware.

"As much as you say don't pay or we'll never pay, do you have the means in place - the bitcoin assets - where if you found yourself in a situation, do you have the means to do that in the time allocated by an attacker?" he says. "And even further to that, we've seen more and more cyber insurance policies that have coverage for cyber extortion situations. So it's something that companies should look at."

Grillo says he's not advocating that anyone pay a ransom, but rather that they practice how they will respond in advance, rather than having a first go only once an attacker has set a 24-hour deadline to pay. During a crisis, "you don't have time for committee decision-making," he says.

5. Identify Breach Response Stakeholders

When developing a data breach response plan, identifying everyone who must be involved in the plan - as well as at which stages - is key, as is doing so in advance.


"Today, in working on their cyber preparedness, companies regularly involve areas of the company outside information security, including counsel, compliance, senior management and the board, all of which play a really important role in the cybersecurity context," says attorney Nicole Friedlander, a partner at Sullivan & Cromwell in New York.

"And they're involving key external parties like outside counsel and forensics firms," says Friedlander, who previously headed the complex frauds and cybercrime unit at the U.S. Attorney’s Office for the Southern District of New York. "This significantly speeds up their ability to react to a breach and minimizes the risk of confusion and mixed messages that can otherwise result in a crisis."

6. Run Tabletop Exercises

How will your organization react to a breach?

"Internally, the critical players must understand their roles, have guidelines and policies in place, have a data breach playbook, have regular exercises, and cover all aspects of internal and external communication and governance," Pierson says.

Running tabletop exercises - aka mock cyberattacks - is an excellent tactic for refining plans, which is why the military has been using them "since the beginning of time," Grillo says. "Go through potential scenarios of how your organization could potentially be attacked, especially on the critical assets, and map that back to your incident response plan."

No organization can predict with utter certainty how it will be hacked, "but we can focus on cyber resilience, being proactive, being better prepared and having better response," Grillo says. "We're never going to have the crystal ball. But it sure beats getting caught completely blindsided. We can run through scenarios, and what these tabletop exercises do for us is not only making people aware, but also points of escalation."

After running a tabletop exercise - or responding to an actual breach - always hold a post-breach or after-action debrief.

"Everyone likes to get a pat on the back for the things we did right, but at the same time, what did we learn from that attack or exercise; what could we have done better?" he says. "That's why a response plan is a living, breathing plan. And we try to get better each time whether it's technology that we're embracing or the regulatory landscape," such as dealing with the EU General Data Protection Regulation's 72-hour notification requirement.

7. Watch How Peers Get Pwned

Pay attention to attacks against other organizations in your industry. "Groups conducting attacks, whether for financial gain or other motives, will frequently use the same methods of compromise," says David Stubley, CEO at 7 Elements, a security testing firm and consultancy in Edinburgh, Scotland. "There really is no excuse for being the third, fourth or even the hundredth company to be breached by threat actors using the same modus operandi" (see: Ransomware School: Learn Lessons From How Others Fail).


For sharing real-time threat information and protective measures, security experts recommend joining the U.S. Secret Service Electronic Crimes Task Force program and the FBI's InfraGard public/private partnership program. In the U.K., the National Cyber Security Centre - part of GCHQ - runs the Cyber Security Information Sharing Partnership (CiSP).

Many industry-specific initiatives are also available for sharing threat intelligence. Also never underestimate the power of networking and employees maintaining relationships with their counterparts in other organizations to keep track of the latest threats and trends.

(See part two of this series, "Surviving a Breach: 8 Incident Response Essentials," offering more tips.)

About the Author

Mathew J. Schwartz


Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
